Releases: tidemark-security/intercept

v0.4.3

17 May 10:54
8069f60

This release focuses on security hardening, safer upload handling, more reliable long-running LangFlow triage jobs, and release/CI stabilization.

Security and Access Control

  • Hardened authentication flows across password login, password changes, passkeys, OIDC, API key handling, CSRF bypasses, and admin reset paths.
  • Prevented API keys from minting new API keys.
  • Required valid API key authentication before allowing CSRF bypass behavior.
  • Improved OIDC validation, including HTTPS discovery enforcement, supported signing algorithm checks, JWKS key matching, trusted issuer requirements for account linking, and safer redirect handling.
  • Added WebSocket origin validation.
  • Removed hardcoded LangFlow database password defaults.
  • Disabled SQL echo by default to reduce accidental sensitive logging.
  • Tightened LDAP TLS and filter template validation.
  • Improved Fernet key derivation using HKDF.
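
The OIDC checks listed above (HTTPS discovery enforcement, supported signing algorithm checks, JWKS key matching) can be sketched as follows. This is an added example, not Intercept's code: the function names, the algorithm allow-list and the rule that a token must carry a `kid` are assumptions, and signature verification itself is left to the JWT library.

```python
from urllib.parse import urlsplit

# Assumed allow-list for this sketch: asymmetric algorithms only, so "none" and HS* never pass.
ALLOWED_ALGS = {"RS256", "ES256"}
KTY_FOR_ALG = {"RS256": "RSA", "ES256": "EC"}


def check_discovery(issuer: str, doc: dict) -> set:
    """Validate a discovery document; return the algorithms usable for ID tokens."""
    if doc.get("issuer") != issuer:
        raise ValueError("issuer in discovery document does not match configuration")
    for field in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        parts = urlsplit(doc.get(field, ""))
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError(f"{field} must be an absolute https URL")
    usable = ALLOWED_ALGS & set(doc.get("id_token_signing_alg_values_supported", []))
    if not usable:
        raise ValueError("provider advertises no supported signing algorithm")
    return usable


def select_jwk(header: dict, jwks: dict, usable_algs: set) -> dict:
    """Pick the single JWKS key that matches an ID token header, or fail closed."""
    alg, kid = header.get("alg"), header.get("kid")
    if alg not in usable_algs:
        raise ValueError(f"signing algorithm {alg!r} not allowed")
    if not kid:  # assumption: tokens without a kid are refused rather than guessed at
        raise ValueError("token header has no kid")
    matches = [
        k for k in jwks.get("keys", [])
        if k.get("kid") == kid
        and k.get("kty") == KTY_FOR_ALG[alg]   # key type must fit the algorithm
        and k.get("use", "sig") == "sig"       # never verify with an encryption key
        and k.get("alg", alg) == alg           # honour the key's own alg pin if present
    ]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one JWKS key for kid {kid!r}, found {len(matches)}")
    return matches[0]
```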

Attachments and File Uploads

  • Hardened direct-to-storage attachment upload finalization.
  • Uploads now stage into temporary storage keys before server-side validation and final copy.
  • Server validates upload ownership, expected storage prefixes, object size, checksum, detected MIME type, and declared MIME type before marking attachments complete.
  • Script-capable MIME types such as HTML/SVG/XHTML are rejected.
  • Download URLs now force attachment disposition.
  • Frontend upload flow now performs MIME detection with Magika and sends the detected content type.
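
The staged-upload finalization described above, as an added example rather than Intercept's code. The record fields, key prefixes and size limit are assumptions, a dict stands in for the object store, and a small magic-byte sniffer stands in for a real detector such as Magika.

```python
import hashlib

# Assumed policy values for this sketch; the project's real limits are not on the page.
SCRIPT_CAPABLE = {"text/html", "image/svg+xml", "application/xhtml+xml"}
MAX_BYTES = 10 * 1024 * 1024


def sniff_mime(data: bytes) -> str:
    """Tiny magic-byte sniffer standing in for a real content detector."""
    head = data[:512].lstrip().lower()
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if data.startswith(b"%PDF-"):
        return "application/pdf"
    if b"<svg" in head:
        return "image/svg+xml"
    if head.startswith((b"<!doctype html", b"<html")):
        return "text/html"
    return "application/octet-stream"


def finalize_upload(record: dict, user_id: str, store: dict) -> str:
    """Validate a staged object, move it to its final key, and return that key.

    `record` is what the server saved when it issued the upload URL;
    `store` maps storage keys to bytes.
    """
    if record["owner_id"] != user_id:
        raise PermissionError("upload belongs to another user")
    staged = record["staged_key"]
    if not staged.startswith(f"tmp/{user_id}/"):
        raise ValueError("staged key outside expected prefix")
    data = store.get(staged)
    if data is None:
        raise ValueError("staged object missing")
    if len(data) != record["size"] or len(data) > MAX_BYTES:
        raise ValueError("size mismatch or over limit")
    if hashlib.sha256(data).hexdigest() != record["sha256"]:
        raise ValueError("checksum mismatch")
    detected = sniff_mime(data)  # server-side detection; the client's claim is not trusted
    if detected in SCRIPT_CAPABLE or record["declared_mime"] in SCRIPT_CAPABLE:
        raise ValueError("script-capable content type rejected")
    if detected != record["declared_mime"]:
        raise ValueError("declared type does not match detected type")
    final_key = "attachments/" + staged[len("tmp/"):]
    store[final_key] = store.pop(staged)  # final copy, then the staging object is gone
    return final_key
```

Nothing is marked complete until every check passes, so a rejected object never leaves the temporary prefix.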

MCP and Timeline Safety

  • Hardened MCP get_item authorization and lookup behavior.
  • get_item now requires explicit parent scope via parent_entity_type and parent_entity_id, avoiding broad cross-entity timeline searches.
  • Added repairable MCP error messages for clients still using the old hint_kind / hint_parent_id contract.
  • Hardened timeline JSON handling and timeline URL sanitization.

Case, Alert, Task, and Recommendation Hardening

  • Restricted destructive case mutations and dummy data mutations.
  • Blocked unsafe task case reassignment.
  • Blocked auditor enrichment enqueue.
  • Locked triage recommendation review rows.
  • Constrained alert relinking and allowed sort fields.
  • Case deletion now records an audit snapshot before permanent deletion.

LangFlow and Background Jobs

  • Added SSE streaming support for long-running LangFlow flows.
  • Alert triage now uses streaming execution with a per-read timeout so healthy long-running jobs do not fail just because they exceed the old global timeout.
  • Added idempotency protection for alert triage retries when a recommendation already exists.
  • Adjusted task queue retry lease timing to avoid duplicate execution during in-worker retries.
  • Reduced alert triage retries to avoid repeated expensive LLM/MCP work after genuine stream stalls.

Release, Containers, and CI

  • Updated release workflow, detailed PR CI, migration compatibility workflow, and production smoke coverage.
  • Added frontend production route smoke tests.
  • Aligned release tests and dev containers.
  • Improved frontend production smoke container stability.
  • Updated Dockerfiles and quickstart defaults, including non-root container execution and security headers.
  • Bumped managed release version files to 0.4.3.

Full Changelog: v0.4.2...v0.4.3

v0.4.2

05 May 12:19
c037659

This release focuses on stability improvements for the timeline graph UI.

Release highlights

  • Fixed multiple timeline graph resizing and rendering bugs in the frontend.
  • Improved React Flow resize persistence so node and group size changes are saved correctly.
  • Prevented child node drift when resizing grouped timeline nodes.
  • Added internal developer guidance for working on the timeline graph component.
  • Bumped app version from 0.4.1 to 0.4.2.

Fixed

  • Resolved several bugs in the timeline graph view related to resizing and rendering.
  • Fixed resize persistence so graph node dimensions and positions are saved correctly after resize operations.
  • Fixed an issue where child nodes inside resized groups could visually shift after reload.
  • Improved embedded timeline item previews by suppressing nested replies in compact graph previews.

Internal

  • Added maintainer notes for the timeline graph component to document resize handling constraints and known pitfalls.
  • Updated version metadata across the project for the 0.4.2 release.

Notable files changed

  • frontend/src/components/timeline/TimelineGraphView.tsx
  • frontend/src/components/timeline/TimelineItemRenderer.tsx
  • frontend/src/components/timeline/AGENTS.md

v0.4.1

04 May 11:58
2c40153

What's Changed

  • Bump version to 0.4.1 and enhance entity metadata card by @glennbolton in #100

Full Changelog: v0.4.0...v0.4.1

v0.4.0

04 May 03:29
ba45a58

Intercept v0.4.0 Release Notes

Features

Timeline Graphs and Presence Awareness

This release adds a new graph view for case and task timelines, making it easier to map relationships between timeline items and collaborate while investigations are active.

  • Added a timeline graph mode for cases and tasks with draggable, resizable timeline item nodes.
  • Added support for grouping timeline items visually inside graph containers.
  • Added labelled relationship edges between timeline items, including directional and bidirectional markers.
  • Added proximity-based linking to make connecting related timeline items faster.
  • Persisted graph layouts and relationships through new case/task timeline graph APIs.
  • Added optimistic graph editing with revision-based conflict detection for concurrent updates.
  • Added realtime graph update notifications so other viewers see changes without manual refresh.
  • Added presence awareness for cases, tasks, and alerts so users can see when others are viewing the same entity.
  • Added realtime toast notifications for timeline and graph changes made by other users.
  • Added copyable timestamp UI improvements and timeline display refinements.
  • Added backend migration, generated API client types, and frontend hooks for timeline graph data.
  • Added backend and frontend test coverage for graph APIs, conflict handling, realtime presence, and graph hooks.

Security

  • Enforced the read-only boundary for AUDITOR accounts across backend write paths. Previously, several authenticated backend endpoints still accepted auditor sessions even though auditors are intended to have read-only access.
  • Fixed auditor access to mutating AI triage routes, including enqueueing recommendations, accepting recommendations that update alert/case/task state, and rejecting recommendations.
  • Fixed auditor access to case bulk updates and dummy-data mutation routes.
  • Fixed MCP write tools so auditor-owned API keys cannot commit triage decisions or timeline notes. Dry-run/read-only MCP behavior remains available, but commit=true operations now require a non-auditor user.
  • Added regression tests covering auditor denial for REST write routes and MCP commit attempts, while preserving analyst write workflows.

Dependencies

  • Updated backend dependencies for the 0.4.0 release branch: authlib >=1.6.9 -> >=1.7.0, cachetools 5.5.2 -> 7.0.6, fastapi 0.135.3 -> 0.136.1, fastmcp >=3.2.0 -> >=3.2.4, mitreattack-python 5.4.4 -> 5.4.7, psycopg2-binary 2.9.11 -> 2.9.12, pydantic-settings 2.12.0 -> 2.14.0, PyJWT[crypto] >=2.12.0 -> >=2.12.1, sse-starlette 3.3.4 -> 3.4.1, and cryptography >=46.0.6 -> >=47.0.0.
  • Updated frontend dependencies for the 0.4.0 release branch: @lexical/rich-text ^0.35.0 -> ^0.43.0, @mdxeditor/editor ^3.53.1 -> ^3.55.0, @tanstack/react-query ^5.90.5 -> ^5.100.5, uuid ^13.0.0 -> ^14.0.0, eslint-plugin-react-hooks ^7.0.1 -> ^7.1.1, globals ^15.0.0 -> ^17.5.0, jsdom ^24.0.0 -> ^29.0.2, postcss ^8.4.32 -> ^8.5.10, and vite ^8.0.8 -> ^8.0.10.
  • Deferred the red Dependabot updates for tailwindcss and react-router-dom; those are not included in this release.

Testing

  • Added a path-filtered migration compatibility workflow that tests Alembic upgrades from the previous released GHCR images to the PR backend image, verifies the database reaches the current Alembic head, reruns migrations for idempotency, and smoke-tests backend startup.

v0.3.1

26 Apr 12:14

What's Changed

Full Changelog: v0.3.0...v0.3.1

v0.3.0

19 Apr 04:25

Release Notes — v0.3.0

Release range: v0.2.1 → v0.3.0 (5 PRs merged)

Highlights

This release focuses on frontend performance, MCP transport modernization, and security/dependency hygiene, along with mobile UX fixes.


🚀 Performance — Frontend Bundle Optimization (#68)

Major reduction in initial bundle size through aggressive code splitting and lazy loading. The entry chunk dropped from 4.66 MB to per-route chunks of 2–25 kB.

  • Route-level splitting: React.lazy applied to all 22 page components in App.tsx.
  • Syntax highlighter: Switched react-syntax-highlighter from full Prism (~280 languages) to PrismLight with 33 explicitly registered languages.
  • Markdown editor: @mdxeditor/editor is now lazy-loaded — the ~1 MB editor chunk is fetched only when a markdown form mounts.
  • Icons: Replaced the static lucide-react icon mapping (777 kB, ~1500 icons) with dynamic imports via lucide-react/dynamicIconImports (236 kB map; icons load on demand).
  • Vendor chunking: Added manualChunks grouping (react, radix, query, markdown) for better long-term cache hits.
  • Bundle analyzer: rollup-plugin-visualizer is now gated behind the ANALYZE env var.

🔌 MCP Transport — Streamable HTTP (#69)

Migrated the MCP server from the legacy SSE transport to the preferred Streamable HTTP transport.

  • All /mcp/sse references replaced with /mcp/streamable/ across integration tests, unit tests, and frontend client code.
  • API request types and helper functions realigned with the new endpoint structure.
  • Documentation updated to reflect the new transport as the preferred method.

📱 Mobile & Auth UX Fixes (#62)

  • Refactored authentication error handling for clearer failure modes.
  • Improved CORS settings to aid debugging.
  • ModalShell migrated to the Radix Dialog primitive with proper Title and Description for accessibility.
  • Addressed mobile layout issues.
  • Secret key format validation added.
  • Consolidated styling on exported CSS tokens from the ux library (removes duplicated token definitions).

🔒 Security & Dependency Updates (#70, #67)

  • Resolved security advisories GHSA-63/65/66 via coordinated bumps:
    • pytest / pytest-asyncio upgraded in requirements-test.txt.
    • dompurify bumped in frontend lockfile.
    • mermaid-validator dependencies refreshed.
  • Removed unused event_loop fixture from conftest.py (follow-up to pytest-asyncio 1.x migration).
  • Added Git hooks configuration and baseline dependency updates across frontend and backend (#67).

Upgrade Notes

  • MCP clients should update their endpoint from /mcp/sse to /mcp/streamable/. The SSE endpoint is still present, but may be removed in future.
  • No database migrations are required for this release.
  • Frontend consumers benefit automatically from the smaller bundle — no config changes needed unless you want to run a bundle analysis (ANALYZE=1 npm run build).

Full Commit Log

bcae80d Bump version: 0.2.1 → 0.3.0
73ebde1 Merge PR #70  chore: security dependency updates (63/65/66)
0305f74 Merge PR #69  fix: MCP transport → Streamable HTTP
3680cef Merge PR #68  chore: frontend bundle optimization
d22ad45 Merge PR #67  chore: git hooks + dependency refresh (dependabot/rollup)
386f75d Merge PR #62  feat: mobile fixes + auth/modal refactor

v0.2.1

12 Apr 11:38

What's Changed

Full Changelog: v0.2.0...v0.2.1

v0.2.0

11 Apr 12:34

What's Changed

Full Changelog: v0.1.0...v0.2.0

v0.1.0

07 Apr 13:26

What's Changed

Full Changelog: v0.0.9...v0.1.0

v0.0.9

06 Apr 13:37

What's Changed

Full Changelog: v0.0.8...v0.0.9